Export limit exceeded: 361702 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13598 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13598 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24376 | 2 Javier Casares, Wordpress | 2 Wpvulnerability, Wordpress | 2026-04-24 | 6.5 Medium |
| Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1. | ||||
| CVE-2026-24363 | 2 Loopus, Wordpress | 2 Wp Cost Estimation & Payment Forms Builder, Wordpress | 2026-04-24 | 7.5 High |
| Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0. | ||||
| CVE-2026-23971 | 2 Wordpress, Xtemos | 2 Wordpress, Woodmart | 2026-04-24 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8. | ||||
| CVE-2026-22512 | 2 Elated-themes, Wordpress | 2 Roisin, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.This issue affects Roisin: from n/a through <= 1.2.1. | ||||
| CVE-2026-22510 | 2 Ancorathemes, Wordpress | 2 Melody, Wordpress | 2026-04-24 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3. | ||||
| CVE-2026-24972 | 2 Elated-themes, Wordpress | 2 Elated Listing, Wordpress | 2026-04-24 | 6.5 Medium |
| Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elated Listing: from n/a through <= 1.4. | ||||
| CVE-2026-24362 | 2 Bdthemes, Wordpress | 2 Ultimate Post Kit, Wordpress | 2026-04-24 | 6.4 Medium |
| Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21. | ||||
| CVE-2026-25360 | 2 Rascals, Wordpress | 2 Vex, Wordpress | 2026-04-24 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9. | ||||
| CVE-2026-4283 | 2 Legalweb, Wordpress | 2 Wp Dsgvo Tools, Wordpress | 2026-04-24 | 9.1 Critical |
| The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode. | ||||
| CVE-2025-13997 | 2 Kingaddons, Wordpress | 2 King Addons For Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, Woocommerce, Mega Menu, Popup Builder, Wordpress | 2026-04-24 | 5.3 Medium |
| The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed | ||||
| CVE-2026-24976 | 2 Nootheme, Wordpress | 2 Organici Library, Wordpress | 2026-04-24 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through <= 2.1.2. | ||||
| CVE-2026-4001 | 2 Acowebs, Wordpress | 2 Woocommerce Custom Product Addons Pro, Wordpress | 2026-04-24 | 9.8 Critical |
| The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}). | ||||
| CVE-2026-4056 | 2 Wordpress, Wpeverest | 2 Wordpress, User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 2026-04-24 | 5.4 Medium |
| The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access. | ||||
| CVE-2026-23807 | 2 Wordpress, Wpsocio | 2 Wordpress, Wp Telegram Widget And Join Link | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13. | ||||
| CVE-2026-3079 | 2 Stellarwp, Wordpress | 2 Learndash Lms, Wordpress | 2026-04-24 | 6.5 Medium |
| The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-24969 | 2 Designingmedia, Wordpress | 2 Instant Va, Wordpress | 2026-04-24 | 7.7 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1. | ||||
| CVE-2026-4766 | 2 Devrix, Wordpress | 2 Easy Image Gallery, Wordpress | 2026-04-24 | 6.4 Medium |
| The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery shortcode values. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-24971 | 2 Elated-themes, Wordpress | 2 Search And Go Theme, Wordpress | 2026-04-24 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go searchgo allows Privilege Escalation.This issue affects Search & Go: from n/a through <= 2.8. | ||||
| CVE-2026-3427 | 2 Wordpress, Yoast | 2 Wordpress, Yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai | 2026-04-24 | 6.4 Medium |
| The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `jsonText` block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4662 | 2 Crocoblock, Wordpress | 2 Jetengine, Wordpress | 2026-04-24 | 7.5 High |
| The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query. | ||||